EDPB & EDPS Issue Joint Opinion on EU Digital Omnibus: Key Concerns for GDPR Compliance
What Happened: EDPB and EDPS Issue Joint Opinion on EU Digital Omnibus
The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) have issued a joint opinion on the proposed EU digital omnibus regulation, which aims to simplify the EU's digital regulatory framework, reduce administrative burdens, and enhance competitiveness. While supporting certain aspects like increased thresholds for data breach notifications and extended notification deadlines to reduce administrative load, they raise significant concerns about proposed changes to the GDPR definition of personal data.
The regulators specifically warn against modifications that could restrict the scope of personal data protection, create legal uncertainty, and negatively impact fundamental rights. Their opinion evaluates impacts on GDPR, the Law Enforcement Directive, ePrivacy Directive, and broader data protection acquis, assessing whether the proposal provides genuine simplification, legal security, and respects fundamental rights.
Why It Matters: Potential Impacts on Data Privacy Regulations
The joint opinion highlights several critical issues that could affect GDPR compliance for businesses operating in the EU. The proposed changes to the personal data definition represent the most significant concern, as they could potentially narrow the scope of what constitutes protected personal data under Regulation (EU) 2016/679 (GDPR).
This matters because:
- Legal Uncertainty: Changes that contradict established Court of Justice of the European Union (CJEU) jurisprudence, particularly regarding pseudonymization decisions, could create confusion for organizations trying to comply with data protection requirements.
- Enforcement Gaps: A restricted definition of personal data could create gaps in enforcement and undermine the comprehensive protection framework established by GDPR.
- Fundamental Rights Impact: The EDPB and EDPS emphasize that any modifications must respect fundamental rights to data protection, which could be compromised if the proposal goes beyond targeted technical adjustments.
While the regulators support administrative simplifications like extended breach notification deadlines, they caution against changes that could weaken the core protections of GDPR. This creates a complex landscape for businesses that must balance compliance efficiency with robust data protection practices.
What Organizations Should Do: Preparing for GDPR Compliance in 2026
As the digital omnibus proposal moves through the legislative process, organizations should take proactive steps to prepare for potential changes to GDPR compliance requirements. While the final regulation may not be fully applicable until 2026 or later, early preparation is essential.
Action Items for Businesses:
- Monitor Legislative Developments: Track the progress of the digital omnibus proposal through EU institutions, paying particular attention to how concerns raised by the EDPB and EDPS are addressed in final texts.
- Review Data Processing Practices: Conduct a thorough review of current data processing activities to identify areas that might be affected by changes to the personal data definition or other GDPR provisions.
- Update Compliance Frameworks: Prepare to update data protection impact assessments (DPIAs), privacy notices, and internal policies to reflect any regulatory changes that emerge from the final omnibus regulation.
- Strengthen Documentation: Ensure robust documentation of data processing activities and compliance measures, as this will be crucial for demonstrating compliance under potentially modified regulations.
- Engage with Legal Counsel: Consult with data protection experts to understand how proposed changes might affect specific business operations and compliance obligations.
Organizations should also consider how these potential changes interact with other regulatory developments, including the EU AI Act (Regulation (EU) 2024/1689), which includes specific provisions for AI systems that process personal data. The classification of AI systems used in recruitment/HR as high-risk under Annex III of the AI Act creates additional compliance considerations for businesses using such technologies.
Related Resources and Next Steps
Staying ahead of evolving data privacy regulations requires continuous monitoring and adaptation. The joint opinion from the EDPB and EDPS serves as an important indicator of regulatory priorities and potential compliance challenges on the horizon.
For organizations seeking to navigate these complex requirements, OneTrust and TrustArc offer comprehensive compliance management platforms that can help streamline GDPR compliance processes. These tools can assist with data mapping, consent management, and regulatory reporting as requirements evolve.
To stay informed about real-time regulatory updates and compliance guidance, consider leveraging AIGovHub's data privacy monitoring tools. Our platform provides timely alerts on regulatory changes, helping organizations maintain compliance as the digital omnibus proposal and other regulations progress toward implementation.
For more information on related compliance topics, explore our guides on EU AI Act compliance and EU Data Act guidelines, which address intersecting regulatory requirements in the digital landscape.
This content is for informational purposes only and does not constitute legal advice. Organizations should consult with legal counsel for specific compliance guidance.